Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent.


Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to exchange small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world's foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw. (A compilation of Ruiu's observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he's no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu's computers and networks.

In contrast to the skepticism that's common in the security and hacking cultures, Ruiu's peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

"Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS," Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: "No joke it's really serious." Plenty of others agree.

"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," security researcher Arrigo Triulzi told Ars. "Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever."

Been there, done that

Triulzi said he's seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built on work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer's Peripheral Component Interconnect (PCI), the Intel-developed connection that attaches hardware devices to a CPU.

It's also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

"Really, everything Dragos reports is something that's easily within the capabilities of a lot of people," said Graham, who is CEO of penetration testing firm Errata Security. "I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy."

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," he explained.

He still doesn't know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month's PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues about the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

"It's going out over the network to get something or it's going out to the USB key that it was infected from," he theorized. "That's also the conjecture of why it's not booting CDs. It's trying to keep its claws, as it were, on the machine. It doesn't want you to boot another OS it might not have code for."

To put it another way, he said, badBIOS "is the tip of the warhead, as it were."

“Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

"It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was," Ruiu concluded in an interview. "The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers."

Promoted Comments

It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.

If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put in a USB stick into that machine at one point and it got infected.

Yeah, I'm not sure why that didn't occur to him earlier. If a machine is disconnected from everything else and you use one of your USB drives to do a fresh install... Gee, where do you think the viruses came from?

Assuming this is real, it must have taken a tremendous amount of effort to create, and all that effort is now going to waste as they (for some reason, probably accidentally) infected a security researcher. This is an entirely new attack vector; it would have been intended to be used sparingly on major targets only. Someone got fired over that huuuge mistake.

Interestingly, this exposes a seldom-discussed downside of using an Apple computer. Their product line is extremely small, which means that hardware-specific attacks and firmware attacks like BIOS rewrites are much easier to do.

Several people have said that they don't believe a machine can become infected from its microphone. To repeat what Gracana said, that wasn't claimed. The claim is that infected machines whisper to one another using ultrasound. Somehow this fixes bits of the malware as it is being attacked.

Even if the machine being repaired is tethered to the Internet via ultrasound, would the mothership really have the bandwidth to "telnet in" and make repairs?

As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

The ninth paragraph of my article reads:

Quote:

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw.

Here and elsewhere in the post, I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable.

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

I have no doubt that researchers will pore over every laptop and USB drive Ruiu makes available and independently arrive at their own conclusions. I fully intend to report whatever they find. If they find no evidence to support Ruiu's account, Ars readers will be among the first to know.

Quick answer: The Chinese built a rootkit into every Intel compatible machine for at least 5 years.

What's the ultimate rootkit? SMM running from the BIOS, which is invisible from any OS you boot. How is it loaded? There is some hidden memory in the flash chip that is revealed and executed after reset. You would not be able to access it by other means. Who makes these chips? I suspect the Chinese. The chip could also have a primitive wireless transceiver.

Just informed speculation. NSA would be another guess. I only read a few pages of comments and was surprised SMM didn't get mentioned.

Everything that is has to do with bits, frequencies and radiation. Create a device capable of putting together radiation emitted from deleting something from your drive and there you go - "on-fly" backup or "ad-hoc" information stealing.

Don't think it's possible to send bits of information or frequency waves to a device port/hardware and those to be interpreted as "legitimate" by the machine OS? Think twice. Everything has to do with bits, frequencies and radiation.

Great work of those who made this work, great work of the sec. person.

Much of what he talks about seems viable - but in 3 years he has not made an attempt to get new hardware and new software source and do installs and setups in a separate location w/ 100% clean everything and run it independently past the longest point of infection to see that new gear ends up doing the same thing?

Alzheimer's patients have been known to do things and then forget they did them - could he have locked himself out of Root or locked the option to external booting and forgot he did it? Also the condition has known cases of early onset.

Also - where is the install software coming from that was put on each USB device to do the computer install in the first place?

Were they clean or run from an already infected machine?

Another thing - there has to be code sitting someplace. I seriously doubt that with his accolades there is code sitting on a system that has been hiding from him for 3 years. If this mysterious code has ties to Unix / Linux / Windows and can jump OS types - the dormant code not in use would be readily detectable. If it was not - then that probably means that the source was pushing only the code for that OS to the destination. Which means he might have some bugged device in his work area that has the source sitting on it. (Source as in source of the malware - not uncompiled source code).

Why not grab a fresh machine - disable all network and connection types - physically go in and remove the camera / mic / speakers then boot it up and see if it gets infected.

I don't know - sounds like the beginnings of John Nash Jr's life.

Well, it doesn't seem such a bad thing being that. In the end, John Nash got a Nobel prize in economics, based on a mathematical theory which has since changed the economics worldwide.

Everything, in all that is, has to do with frequencies. "Sing" the right "song" and you will manipulate matter as you wish. You think because an operating system is designed to work a hardware in a way, that there's no frequency which cannot change that? All you have to do is know how that OS or OS's are functioning. From there on then, you just need to put the "musical notes" to "sing the play".


We give Dragosr some benefit of the doubt because he actually understands and practices security for a living. Your unhinged babbles are not helping his case any.


It only makes me congratulate you for the top position of being such a "chief-in-charge-all-judging". In big part, that's why the world is where it is nowadays. If all that I said are "babbles" to you, and most probably others (since you refer to yourself as "WE"), then no wonder you have no clue. Take care, secure safely.

As a sub-note: Doesn't it trouble you that you always need to "patch" things up that others did, obviously better than what you were using at a certain time? Then doesn't it trouble you, and others, that you will need to again and again patch, patch, patch things up as the other side is making way through? I don't know...just wondering, Mr. all-judging, baddling-badging.

It is kind of odd that there is such a surprise to the nature of this type of infection considering how generic off-the-shelf OEM technology has become available to the masses. The USB bus is an open technology architecture that is in its own right a mini-computer. Each device has a micro-controller that is one of many mainstream SOICs like FTDI, Atmel, Microchip, STMicro, and Cypress Semiconductor, not to mention there are many Chinese-made controllers that all do what we think is play by the rules.. however there is no stopping a micro-controller from executing other instructions. One major problem is not only can there be coded subroutines programmed into the chip's program memory but they can also be built right into the silicon and you would not even know it was there.. Another major flaw in the USB bus architecture is it cannot monitor how many physical USB devices are actually connected to the bus, so if a USB flash drive had malicious code it could very well mimic another USB device and perform both functions. Also it can sniff out other drives and grab raw data from any memory storage device regardless of whether it is encoded. Any device, as long as it has rewritable memory, is vulnerable to being replaced by new code as long as the USB controller was specifically looking for such a device. However, the USB device could access the internet and send data as to what type of system it has been attached to, and whatever server picked up the data could make a decision on what action to take next, could send it a payload of instructions and provide necessary keys to perform strong-arm takeovers of any hardware it wants. How could it do this? Well, if I personally don't have access to specific hardware through the USB bus then all I need to do is find out what hardware has access and reprogram that hardware, and from there I'm in the PCI bus; once in, I have control over every system peripheral connected to the host.
Another doomsday scenario would be if a nation was to put into the market chips that had hard-coded subroutines built into the silicon, and a time came when a bad USB device was connected it could trigger a sleeper-cell-like attack, a true Trojan horse. One thing that is never discussed is, let's say a micro-controller has analog inputs and is wired for a comparator circuit; I then could monitor noise fluctuations of frequency down to very small powers, and if the controller could make out actual data it can use, then by interfering with the power grid data could be sent via power line, not including electromagnetic interference if there was an antenna built into the etched circuit board. This is just the tip of the iceberg of what is possible and what we do as experiments in Computer Science labs all across the world. As a footnote, the last thing I just discussed realistically could only be done if a powerful nation was to sponsor such development activity, so you know who the likely suspect that would be involved is.

The author uses the new possibilities in browsers of synthesising and capturing audio to transmit data. He uses a technique similar to the one that was used to transmit data with the old dial-up modems that we know (even if 20-somethings have less chance to have experienced this).

The fact is I've done this. I built a system that transmitted data this way. It wasn't easy and I find it impossible to believe that a virus-writer would choose to transmit data this way and more importantly that he could hide it.

Basically, what this guy is arguing is that the virus-writer has re-written part of both Windows and Linux, the sound management system, to silently shim all the drivers (I think this is probably impossible) to invisibly turn on the mic and speakers and then uses only sounds not detectable to the human ear (again, I don't even think this is possible with the hardware) to transmit data between the infected nodes. And all of this is stored in BIOS code on the computers.

The virus he's describing is far more sophisticated than the most sophisticated virus ever found, Stuxnet, which was made by US/Israeli intelligence to attack specific Iranian systems. And how Stuxnet worked, its level of sophistication, and who created it was very quickly discovered.

I think this guy is wrong. Either he's flat out lying, or someone at his workplace is infecting the systems with a thumbdrive behind his back.

What he's saying is that someone has figured out how to hack the POST beep code function to transmit data via ultrasound. And yes, that's what he's saying. If this was the virus altering the operating system he would be able to detect that easily. The alternative is that someone has figured out how to load an entire operating system into the BIOS (and not a shim or bootloader, but the ENTIRE OS).

Again, I don't understand how this was all done SILENTLY. The BIOS looks identical to a real BIOS and has all its functions. Worse, he reports doing this on completely different systems, like a MacBook Pro and a Linux desktop that don't have BIOSes that are even remotely similar.

I just finished writing a very lengthy explanation of a possible avenue of attack and when I clicked post, it got killed by my session timing out. So, perhaps a shorter version will suffice.

Has anyone considered anti-theft software as a vector for this thing? The persistence of this thing rang a bell in my head last night which finally surfaced for me this morning. Take Absolute Software's Computrace as an example. It is made up of two components: a client which lives on the hard drive, and a persistence module and its settings which live in a protected area in the BIOS. On Macs the persistence module lives in a partition gap. The Mac version would be pretty easy to compromise; the BIOS version would obviously be more difficult, but not impossible, using a BIOS overrun someone else posted about earlier.

Who would know how to modify something like this? A disgruntled former employee who needed cash? Reverse engineering the code would be tedious but could be done given enough funding, time or motivation. So let's say that someone did modify the persistence module so that it ensures that an agent exists on your hard drive that does what they need it to do. Modifies it so that it sends the normal Agent data to the Absolute Operations Center, and the other data to wherever it is that the compromise came from. Modifies it so that the agent can be updated with new features, features such as: logging your keystrokes, watching your screen, adding, deleting and modifying files or settings, listening to you by activating your microphone, watching you by activating your built-in video camera, or installing air-gap software. APIs are great because they keep you from having to have a significant amount of code.

Please note that I am in no way implicating Absolute as an active participant in this, just as a possible vector.

Anyway, it was a twilight thought in the shower but I had to get this out so it would stop bugging me.


I've gotten in the habit of copying long posts to the clipboard before hitting "Leave your reply". The BBcode is completely self-contained, so you can just paste it in as a "new" comment at the bottom of the story if something went wrong in the post.


Lazarus Form Recovery is a free browser add-on for Firefox, Chrome and Safari that autosaves everything you type into any given web-form. We've all had the frustrating experience of spending ages getting a form entry just right, only to suffer rage and disgust when all that hard work is destroyed, whether it's a website timeout, a browser crash, a network failure, or just a cat wandering across the keyboard. Lazarus makes recovering from such mishaps painless in most cases, and we're working on the rest of them!

I'm far from an expert but it seems to me that the only people who can protect OEMs' firmware (or allow for exploits) are the OEMs. If they're not protecting their firmware, it seems they should come under heavy suspicion.

Before you sneer at the thought of OEMs being mixed up in murky business, I might draw your attention to Microsoft's thoughts on the OEMs in Asia selling ludicrously corrupted systems brand new from their flagship stores.

MANILA, Philippines - At a press conference on Monday, February 25, Microsoft announced the results of a forensic study on malware threats...The study looked at a total of 282 samples made up of 216 brand-name PCs...sourced from Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.

After examining the computers and DVDs, Microsoft noted a malware infection rate of 69%, increasing 6 points from its initial study done in December 2012. A total of 68% of the sampled computers contained malware, and 74% of the sampled DVDs contained malware.

The study notes that even well-known PC brands were affected by the malware issue. Microsoft thinks, however, the manufacturers themselves weren't to blame.

I'm far from an expert but it seems to me that the only people who can protect OEMs' firmware (or allow for exploits) are the OEMs. If they're not protecting their firmware, it seems they should come under heavy suspicion.

Before you sneer at the thought of OEMs being mixed up in murky business, I might draw your attention to Microsoft's thoughts on the OEMs in Asia selling ludicrously corrupted systems brand new from their flagship stores.

You left out an important bit:

"Instead, the company believes the computers were using non-Windows operating systems, which were replaced in the downstream supply chain or retail channel with malware-laden counterfeit Windows operating systems. Their study also showed evidence that some of their sampled computers had their hard drives swapped with inferior drives that may have had the malware pre-installed."

Or to put it bluntly, Microsoft is saying that Southeast Asian computer retailers are dishonest.

First, it's important to understand that we're probably seeing a lot of false positives here. The retailers installing pirated Windows are usually using cracks downloaded off the internet to remove the copy protection and a lot of those cracks behave like malware and show up as malware in automated scanners, even though they are not. Of course, there are also lots of cracks that actually contain viruses and malware. In fact, this is one of the easiest ways to get nasty malware.

It's also possible, especially in the case of "ransomware" and keyloggers, that the retailers are associated with mafia organizations and are deliberately installing malware. This is probably a lot less common than false positives and accidental infection.

Those OEMs are contributing somewhat by selling PCs sans OS, or with DOS or generic Linux, knowing that retailers are probably going to put pirated Windows on them.

This scenario isn't even remotely similar to a BIOS with a built-in backdoor.

What he's saying is that someone has figured out how to hack the POST beep code function to transmit data via ultrasound. And yes, that's what he's saying. If this was the virus altering the operating system he would be able to detect that easily. The alternative is that someone has figured out how to load an entire operating system into the BIOS (and not a shim or bootloader, but the ENTIRE OS).

Again, I don't understand how this was all done SILENTLY. The BIOS looks identical to a real BIOS and has all its functions. Worse, he reports doing this on completely different systems, like a MacBook Pro and a Linux desktop that don't have BIOSes that are even remotely similar.

As a service to future readers of this long thread, let me just add that February 2015 added some very interesting details to this whole ordeal.

It was revealed that a group of hackers had the capability to infect the firmwares of hard drives from virtually all major manufacturers. The group, which has operated for more than 14 years, is suspected to have ties to (or being an actual part of) the NSA.

So let's face it: In February 2015 the claims from this guy started to sound quite plausible, and the criticism of him may very well have been premature.

No, it still doesn't sound any more plausible than before. We still haven't seen the sound-propagating, multi-OS, undetectable über virus that Dragos has been claiming to be the victim of (see here for a list of the claimed properties of that malware). Nobody has seen anything wrong in the few samples he sent out (only to private and mostly anonymous sources) and he never "had time" to upload any of his "findings" anywhere anyone could have a look at it.

No evidence, wild claims (some of which are so implausible you might as well call it magic), no follow-up: this ain't a virus, it's a conspiracy theory.

There is nothing (technically) new to the NSA story but the fact that they did it on a massive scale and much earlier than anyone expected.

It was revealed that a group of hackers had the capability to infect the firmwares of hard drives from virtually all major manufacturers. The group, which has operated for more than 14 years, is suspected to have ties to (or being an actual part of) the NSA.

Pretty clearly the "Equation Group" *is* the NSA or an NSA contractor.

"One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate."

Do we have outside confirmation this is actually happening? It would be a LOT easier to alter the drivers in Windows/Linux to create the same effect (a hidden disk partition).

And just so you know, this type of malware is highly unusual. It's designed to resist forensic examination, and most hackers aren't so concerned with hiding their tools.

I have yet to see any evidence that this has actually happened (using ultrasound to transmit data) anywhere other than an isolated lab using highly-specialized equipment. I've seen no evidence at all that you can do this with the very poorest quality speakers/microphones made, the cheap ones in laptops. I have yet to see anyone demonstrate that anyone can even *access* the mic/speakers using a shimmed BIOS, let alone shim a complex data-transmission technology into the BIOS. And again, even conceding all of the above works and you could do it, you would have to create a custom BIOS for each device, a monumental amount of work.

Yes, in theory, the NSA could do this. Nobody else could and there is no evidence anyone has.

Do we have outside confirmation this is actually happening? It would be a LOT easier to alter the drivers in Windows/Linux to create the same effect (a hidden disk partition).

We probably never will barring another Snowden. But if a hobbyist can do it for one drive without even having datasheets for the chipset, a general package that can exploit 5 or 10 common chipsets certainly doesn't seem out of reach for a talented group with a big budget.
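The exchange above turns on whether a "hidden disk partition" is easier to produce by altering drivers than by rewriting drive firmware. Either way, a defender can check one thing reproducibly: whether every sector of the disk is accounted for by the partition table the OS itself reports. The following is an added example, not code from any commenter or from the article. It parses a classic MBR partition table, lists the sectors no partition claims, and flags gaps larger than normal alignment slack. The 512-byte MBR and the disk size are constructed for the example.

```python
"""
Added example (not from the thread): parse an MBR partition table and report
unallocated sector ranges. Space that no partition entry claims is the only
place a "hidden partition" could sit, so comparing this list against the
operating system's own view of the disk is a cheap consistency check.
The MBR bytes and disk geometry below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
MBR_SIGNATURE = 0xAA55
ALIGNMENT_SLACK = 2048          # up to 1 MiB of alignment gap is normal
DISK_SECTORS = 20 * 1024 * 1024 * 1024 // SECTOR   # constructed 20 GiB disk


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    first_lba: int
    sector_count: int

    @property
    def last_lba(self) -> int:
        return self.first_lba + self.sector_count - 1


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be at least one 512-byte sector")
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # Each 16-byte entry: status, CHS start (skipped), type, CHS end
        # (skipped), first LBA, sector count.
        status, type_id, first, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if type_id == 0 and count == 0:
            continue                      # empty slot
        parts.append(Partition(i, status == 0x80, type_id, first, count))
    return parts


def unallocated_gaps(parts: List[Partition], disk_sectors: int) -> List[Tuple[int, int]]:
    """Sectors claimed by no partition, as (first_lba, last_lba) ranges.
    LBA 0 (the MBR itself) is treated as used."""
    gaps = []
    cursor = 1
    for first, last in sorted((p.first_lba, p.last_lba) for p in parts):
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def suspicious_gaps(gaps: List[Tuple[int, int]], slack: int = ALIGNMENT_SLACK) -> List[Tuple[int, int]]:
    """Gaps bigger than ordinary alignment slack; these deserve a closer look."""
    return [g for g in gaps if g[1] - g[0] + 1 > slack]


def build_sample_mbr() -> bytes:
    """Constructed MBR: a bootable NTFS partition at LBA 2048 followed by a
    Linux partition that begins 1,000,000 sectors after the first one ends."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 2_000_000),
        (0x00, 0x83, 2048 + 2_000_000 + 1_000_000, 5_000_000),
    ]
    for i, (status, type_id, first, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, type_id, first, count)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"entry {p.index}: type 0x{p.type_id:02x} LBA {p.first_lba}-{p.last_lba}"
              f"{' (boot)' if p.bootable else ''}")
    gaps = unallocated_gaps(parts, DISK_SECTORS)
    for first, last in gaps:
        flag = " <- review" if (first, last) in suspicious_gaps(gaps) else ""
        print(f"unallocated: LBA {first}-{last} ({last - first + 1} sectors){flag}")
```

On a real system the input would be the first sector read from the block device and the sector count from the kernel's view of the disk; a range the OS reports as allocated but the table does not, or the reverse, is the discrepancy to investigate.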

ALRIGHT !!!! I believe you, and sadly I can say..... I have this virus. Let me explain. I can confirm it. I was a college graduate in 2014, top of my class, first in the state, 6th overall in the Nation at the National Leadership Conference in Indiana at the Business Professionals of America competition. I have formatted, flashed, partitioned, Fdisk, and spent over 2 solid months trying to tear it apart. Here's what I know. Immediately after installing, it creates a tunnel adapter to get to the INTERNET using IPv6, policies to invoke certificate generation, so everything appears good on the up and up. Next it tells you to reboot your system to finish installing updates. Here is where the tinfoil hats need to be put on. Upon reboot it creates 4 partitions, two on the HD: MBR on the HD, encrypted partition on the HD. 1 in the BIOS. It uses 3 different file systems, Dos 2.0, Linux, and the Bios on the motherboard. Using Shield the fat16 protects the Linux; the Linux, in turn, protects the fat16 Dos partition. There are 2 instances of command prompt hidden. When typing C:\ you get one location; typing c:\ c:\ you get another partition that is hiding in the Dos 35mb. I could not believe what I was seeing, I thought I was losing it. I installed with a certified OS from Microsoft. It would not let me delete the MBR. So I thought let it run its course. The CD never spun up to read the disk. I looked at my network traffic, and I was ****** in disbelief. My profile in my contacts, my phone number, everything I typed, every site I visited, was channeled to a server that replicated Microsoft Update, Majorgeek, many others, and they had complete control of my PC, through my SMbus, Graphics, Microphone, keystrokes, and files. All while I was on a 64 bit system running in 32bit mode, they controlled the resources, and everything about me. I sound like an ID10T saying this. I would not open my mouth if I were not 110% sure of my finding.
There is a lot more to this than somebody in his mother's basement. This is a complete breach of privacy in the largest sense. Oh ya, and before I could pull the RJ45 out of my daughter's pc, it was too late and 2 other computers. The clue to finding this is in the Python folder IIS, system environment variables set to CVT/bin/AMD/0/0/0/0/0/0/. I will post some Imgur links shortly. I have not slept for 2 months working on this. I'm tired. and I can't sleep.

I read this a few years ago and it sounded a lot like something I've had going on for a while that I could never get rid of due to some other security issues. I don't know if what I have is transmitted with audio waves or if it's just using out of range radio frequencies... what's the difference though really? It's all part of the spectrum, and you'd think there would be some simple way to see what is being transmitted at what frequency. I still can't find something that will do that and have often just thought about finding books from a hundred years ago when people were still interested in understanding what things did instead of just snagging lesser tech to make something else even more complicated and unnecessarily bloated. But with all that bloat and confusion it's easy to hide anything you want in there and just say, "Well, I don't know what it does either but I'm sure it's nothing..." if anyone questions it. And think about the backdoors the government requires computer companies to include. They've got to hide those somewhere! But I do know that you can inject code into startup audit comments and use errors or break characters to circumvent the boot process... or steal dolby channels to run IRQ commands via a bus daemon. There was a whole video on YouTube where a guy managed to figure out that his Apple battery was hackable, and that kind of thing would be just enough space to store an MBR replacement or reroute the startup init or whatever you want. And don't even get me started on hiding code in remote regions of Unicode fonts or in color profiles and printer description files and all those things you see and think, "Does anyone actually use these things?" but I used to be a graphic designer, so I actually did... when they weren't messed up.

If anyone knows of someone that wants to buy some broken phones that probably have all this kind of crap on them, please let me know. There's something special about them because I don't think it's normal to use gold for the contacts instead of regular solder. And I have seen some amazing things, but so far I haven't learned how to reliably conjure gold from circuitboards.

And just curious... does everyone else have handwritten sharpie initials on every single computer board you own? Should an old analog VCR have more circuitry on its board than a computer server? And after decades, should there be not a single trace of dust inside? And should the circuitboard be green if it's that old? Are you crazy and psycho if you've been forced to just accept and live with hacked everything for the last several years of your life or can you blame that on someone else?

Here's some advice. Put down your devices and go look at what God created outside. He's the only one that can make something perfect, and it's a nice reminder and inspiration for when you come back to tackle the very wonderful but still not quite perfect technology that we have created. There are a lot of ideas out there and I'm pretty sure you can find a computer design in the Old Testament. Makes sense that God Who knows all time would hide mysteries like that to be unraveled by future generations when the time was right. And then all those hidden patterns and codes would prove His omniscience. And He is actually the only god I know of that really designed anything so masterfully and well thought out. All that to say, there is a lot of inspiration to be found in the Bible too. It's not just a book that condemns people.

Sorry for the (ark) tangent. Just thought some Knights Templar type comments might make the radio wave jumping sound less crazy and wild. And wouldn't you rather be treasure hunting than mindlessly clicking your way through things that you don't understand that are covered in ads anyway?

I don't care what anyone says or writes, it is not physically possible for an unpowered computer, network or wireless device to turn on, transmit, infect or otherwise enumerate, much less spread malware. This story is ridiculous.

I don't care what anyone says or writes, it is not physically possible for an unpowered computer, network or wireless device to turn on, transmit, infect or otherwise enumerate, much less spread malware. This story is ridiculous.

Define "Unpowered".

A motherboard in stand-by mode still has power on the Ethernet controller. A computer in Suspend mode (S3 or S5 state) still has power on the Ethernet controller, USB bus and USB host controller. And in both cases, the BIOS is obviously powered on as well.

Having said that, let's not revive this old thread any further... It's almost 2 years old ;-)

I don't care what anyone says or writes, it is not physically possible for an unpowered computer, network or wireless device to turn on, transmit, infect or otherwise enumerate, much less spread malware. This story is ridiculous.

Well, it is physically possible. Malware is made of code which is made of characters which is made of numbers which is made of electricity which is made of electromagnetic waves. With any of the radio components in almost any device these days, and with some modifications to drivers and/or libraries, they are able to leave any wire and go flying through the air. And you can hide little bits and pieces of those numbers and characters all over the place as seemingly extraneous or illegible nonsense. Then you arrange it in such a way that it is recompiled by either a script or even just an online web app that pieces it together. And for that matter you can just hide the link instead of all the code which means morse code made from extra white spaces (or something else off the top of my head) wouldn't be so hard to transmit using light or sound.... because they are all just waves. And you just need a transceiver. The only thing a protocol does is define wavelength. Beyond that it's just code after the transmission has completed.

That's why it's important for people to be clueless about how things work, and it's important for them to think that they are too stupid to fix anything. And it's important to make sure they are made to feel paranoid if they even question anything at all. And the fact that it's strangely difficult to find anything that just tells you what is registering on what band is probably not a coincidence. If you could see the amount of radiation flying around, especially when a single cell phone is almost at the max limit for acceptable radiation according to the FCC... and that's just the one phone by itself... then I doubt we would be so excited about how fabulous the latest iPhone is or how many features Samsung's newest whatever has built in. But I would expect a decline in cancer, though, and less need for chemotherapy.

"Thinking of the current in an ordinary power line as made up of waves is perhaps an unusual concept of electricity, but one that nevertheless is true. Merely increasing the frequency of such a current to about 6,000 cycles a second makes this radiation leave the wires and be transmitted into space."

I think that got edited out in a later edition as they slowly started moving toward a 30-minute PowerPoint format. But in all honesty, you would not believe some of the inspiration and ideas you can find in these old books. And so much more care goes into the content than anything online which is often careless and fueled by emotion that can get out of control when you aren't kept in check by someone else's body language or presence that keeps you from ignoring any responses.

Speaking of waves, though... will someone do me a favor and next time you're at a major event, tell everyone that when they do the wave to focus all their energy on asking God to send Jesus back? That's the only way I see us having any hope the way things have gone with all of this. I'm serious. I don't even own a phone or computer anymore because it's so ridiculous what goes on behind the scenes that we all just accept. But partly under duress, since you can't use your phone for essential life tasks without clicking that accept button for whatever ridiculous terms and conditions are put in front of you. Which is stupid... because with the topic of this whole thread having to do with hacking, I promise you there is no way to know whether what you see on your screen is actually what was intended for you to see. Fonts with missing characters even could render it inadmissible. How do you know for sure I got the same version? That someone didn't copy and paste the wrong thing? That there wasn't a man in the middle?

I don't care what anyone says or writes, it is not physically possible for an unpowered computer, network or wireless device to turn on, transmit, infect or otherwise enumerate, much less spread malware. This story is ridiculous.

Define "Unpowered".

A motherboard in stand-by mode still has power on the Ethernet controller. A computer in Suspend mode (S3 or S5 state) still has power on the Ethernet controller, USB bus and USB host controller. And in both cases, the BIOS is obviously powered on as well.

Having said that, let's not revive this old thread any further... It's almost 2 years old ;-)

Two years is not old at all! But why would the BIOS still be powered on after boot?

Also found something along the lines of what I was talking about that I would be very interested to get an opinion about. And I don't want to start a new thread because I think this relates to the topic here and that would get lost if I did that. And I'm sure johnspublicdefender doesn't care, but that's exactly the attitude that perpetuates ignorance and an app store full of games that are nothing more than "PUSH BUTTON COLLECT REWARD." And even AppleCare techs are unable to explain why plist files like this are not in XML format or something that isn't binary. I can't imagine why you'd want to obscure property list files since the whole point is personalization.

Cause here's the thing. I know damn well that there are way more people connected to this computer than have any business being there, and it's really destroyed my life. Literally. And until that changes, I will not be able to even talk about more beautiful things and get on with my life and accomplish anything more than try to make sense of this mess and watch porn. Because whoever is on this computer also thinks it's funny to make sure I can't even have sex. But that's another story. So I just channel all my sexual frustration into stirring up two year old posts as an excuse to try to get someone to see that these things I've posted are not normal and not ok. And may God have vengeance on anyone who alters anything of mine from now on. And to all the people who keep breaking into my room leaving blood stained glass shards on the floor or taking sketches or who knows what else... may you or whoever made you do it be miserably cursed until you return them. Because I am really sick of all of this crap going on that no one thinks is worth even acknowledging, and I have no more left in me to forgive a world full of critical and self-righteous hypocrites.

I think I've been infected with this or something very similar. It has killed 2 windows 10 enterprise computers, 1 Ubuntu, and 2 Android Galaxy S8 cell phones. I'm pretty sure it has also infected the bios of my cable modem. Has anyone developed a removal procedure yet? I'm desperate at this point and I'm willing to try anything that anyone has.